-
Notifications
You must be signed in to change notification settings - Fork 649
URL whtielist Bypass
JoyChou edited this page Jun 22, 2019
·
9 revisions
用java.net.URL类的getHost被绕过情况
- Java 1.8.0_102
- Chrome 74.0.3729.169
@RequestMapping("/url_bypass")
@ResponseBody
public String url_bypass(HttpServletRequest request) throws Exception{
String url = request.getParameter("url");
System.out.println("url: " + url);
URL u = new URL(url);
// 判断是否是http(s)协议
if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
return "Url is not http or https";
}
String host = u.getHost().toLowerCase();
System.out.println("host: " + host);
if (host.endsWith("." + "joychou.org")) {
return "good url";
} else {
return "bad url";
}
}
http://localhost:8080/url/url_bypass?url=http://evil.com%[email protected]/a.html, URL类getHost为www.joychou.org,在白名单中。但是通过浏览器直接访问http://evil.com#@www.joychou.org/a.html, 浏览器请求的是evil.com,导致绕过。
当getHost的域名在白名单内,并且getHost的域名和浏览器实际请求域名不一致,就会产生安全问题。
url白名单绕过的各种payload:
- http://www.joychou.org.evil.com
- http://www.eviljoychou.org
- http://www.evil.com/www.joychou.org/
- http://www.joychou.org#@evil.com
- http://evil.com\www.joychou.org/a.html
- http://evil.com\@www.joychou.org/a.html
- http://evil.com#@www.joychou.org
- http://evil.com?%[email protected]/